On Mon, Dec 5, 2022 at 3:01 AM Jason A. Donenfeld [off-list ref] wrote:

+       mm->def_flags |=
+               /*
+                * Don't allow state to be written to swap, to preserve forward secrecy.
+                * This works in conjunction with MAP_LOCKED in do_mmap(), below, which
+                * actually does the locking (and associated permission check and accounting).
+                * Here, VM_LOCKONFAULT together with VM_NORESERVE simply make the mlocking
+                * happen the first time it's actually used, the same as when calling
+                * mlock2(MLOCK_ONFAULT) from userspace.
+                */
+               VM_LOCKONFAULT | VM_NORESERVE |

Have you checked the interaction with this line in dup_mmap()?
"tmp->vm_flags &= ~(VM_LOCKED | VM_LOCKONFAULT);"

As the mlock.2 manpage says, "Memory locks are not inherited by a
child created via fork(2)". I think the intention here is that the VMA
should stay unswappable after fork(), right?

Of course, trying to reserve more mlocked memory in fork() would also
be problematic...